Dusting off the compliance manual

Registration with the US Securities and Exchange Commission (SEC) came down like a crashing wave on private equity and real estate managers in 2012. Suddenly, after decades of being off the SEC’s radar, Dodd-Frank forced these managers to adopt compliance best practices cultivated over a lifetime by their more registration-experienced counterparts.

Life under the SEC’s purview hasn’t always been easy, and some registrant duties are proving more difficult to fulfill than others. Take appointing a chief compliance officer. Most firms find this task an easy one—with a small pay raise, they place the compliance hat on the CFO and call it a day. But once that straightforward exercise is completed, the CFO has to begin wondering what to include in the firm’s compliance manual, a job without a clear finish line in sight.

GPs may be under the mistaken belief that bulkier, more complex compliance manuals are the safe bet when it comes to satisfying the commission’s expectations. It’s a problem Gary Swiman, EisnerAmper partner and a compliance expert with more than 25 years of industry experience, sees far too often.

“I can’t tell you how many times we’ve quizzed someone on the compliance manual only to discover they didn’t always know what was in it. You could ask something like, ‘What does this policy mean here on page 86?’ and sometimes receive a look of confusion,” says Swiman.

Swiman stresses that compliance is one of the toughest gigs out there, requiring a certain level of expertise in a wide range of areas like cybersecurity, anti-money laundering and now Dodd-Frank compliance. It was against this backdrop that he helped launch EisnerAmper Compliance and Regulatory Services last year, the tax and accounting firm’s new full-service compliance consultancy unit.

What the SEC ultimately wants are policies and procedures that are accepted and understood by staff, Swiman continues.

“Really key on the important things. It’s sometimes better to have seven well-documented procedures as opposed to 70 more generalist ones. It’s when advisers have manuals running to 300 pages that they can get into trouble.”

Many CCOs are now creating “slimmed-down” versions of the manual, and staff are given a couple of weeks to digest and sign them, Swiman adds. These seven- to 10-page documents summarize all the main points of the larger manual, and should be easier to understand. “What you want to avoid is someone telling an inspector they didn’t understand some particular requirement because it was buried in a 150-page manual they signed but didn’t bother to read.”

He goes on to note that many CCOs make the mistake of including a “bunch of policy statements that quote or recite SEC rules” without explaining how the particular rule is being met and supervised internally. Compliance manuals, for example, may cite the SEC’s rule on custody without getting into how the firm ensures that the rule is safely met.

“Does the manual have a way to test custody compliance? Are there procedures that can be substantiated? You can recite any code of law you want, but if it’s not clear how to supervise or document how the rule is being met, it will fall short of SEC expectations,” says Swiman.

Taking ownership

Specifically, the SEC requires registrants (under Advisers Act Rule 206(4)-7) to adopt written policies and procedures “reasonably designed” to prevent violation of the federal securities laws, to review those policies and procedures on at least an annual basis, and to designate a chief compliance officer to administer them.

What the rules don’t require is any specific content for the compliance manual; rather, the policies and procedures adopted should be tailored to the firm’s business and operations.

This is where a lot of firms run into trouble, says Swiman. Typically, the CCO will retain legal counsel or work with a third-party service provider to begin drafting the compliance manual, but too often clients will accept an off-the-shelf manual that isn’t true to the firm’s operations.

“It’s smart to use outside counsel, but often a law firm will say ‘Here, just use this’ and it can be totally out of sync with what’s needed,” says Swiman. “It could include certain algorithms used by hedge funds for trading procedures, which looks silly for a firm that only does private equity.”

Worse still, the SEC will notice the oddity, leaving compliance officers in the difficult position of explaining why unnecessary compliance policies have been adopted by the firm. To avoid losing credibility with inspectors, the CCO should engage senior management and other key personnel to identify areas of conflict risk, advises Swiman. “Even if a CCO is inheriting a set of compliance policies and procedures implemented by a predecessor, that same collaboration process should take place – it’s possible the previous CCO committed mistakes, or the firm evolved into new areas that require some further attention.”

Another mistake is accepting policies that are too broad or vague in their language, Swiman continues. He points to valuation and allocation of expenses as two prime examples where the compliance manual can lack substance. On valuation, Swiman notes, “The policy may say ‘an informal investment committee ultimately decides the asset’s value,’ which doesn’t tell you a whole lot.” As for allocation of expenses, a major area of interest for inspectors during exams, the policy and procedures may not match what was disclosed in marketing materials or regulatory filings.

Five years ago it may not have mattered much to GPs whether or not the compliance manual, if one existed, began gathering dust. But being under the heat of the SEC’s magnifying glass is prompting private fund advisers to think about their compliance policies and procedures in a much more diligent fashion. For Swiman, someone who witnessed firsthand the development of today’s compliance best practices, it’s an area in which he’s helping fund managers to take a crash course.